9

I need to access an internal site protected via client-side certificates. Therefore, to use phantomjs, I exported the certificate I use in Firefox to access the site and converted it into a private key and certificate using the openssl command line. I now want phantomjs to present that certificate to the SSL server when accessing a page on the server. How do I do it?

I've tried this

    phantomjs --ssl-certificates-path=/etc/pki --ignore-ssl-errors=yes --proxy=myproxy:myport test.js

with /etc/pki being the path where I've put the certificate and key.

test.js is just this:

    var page = require('webpage').create();
    // Open the protected site and print the load status ('success' or 'fail').
    page.open('https://myprotectedsite/', function(status) {
        console.log(status);
        phantom.exit();
    });

But it doesn't work. console.log(status) is always 'fail'.

What do I need to do?

John Small

3 Answers

12

The feature is implemented, as you can see in the GitHub project; the thing is that it's not yet included in the current stable release (2.0.0), however it's planned to be included in the 2.0.1 release. Meanwhile you can download a 2.0.1 build from here (the link is from the git discussion).

I tried using the 2.0.1 version and I can access the site correctly, passing the SSL client authorization, with the following command:

Finally, the new PhantomJS 2.1 version was released, which includes this feature; you can download it from here and test the SSL client authorization using the following command:

    phantomjs --ssl-client-certificate-file=C:\tmp\clientcert.cer ^
              --ssl-client-key-file=C:\tmp\clientcert.key ^
              --ssl-client-key-passphrase=1111 ^
              --ignore-ssl-errors=true ^
              C:\tmp\test.js

Notes

I only tested this on Windows.

I tried to use a PKCS12 file as the keystore, but it seems that this format doesn't work, so using openssl I extracted the certificate and the private key with the following commands:

Extract the cert for the --ssl-client-certificate-file parameter:

    openssl pkcs12 -nokeys -clcerts -in a.p12 -out clientcert.cer

Extract the key for the --ssl-client-key-file parameter:

    openssl pkcs12 -nocerts -in a.p12 -out clientcert.key

Additionally I use --ignore-ssl-errors=true to avoid the configuration of the trust store for the validation of the server certificate.

As the script I use test.js, which contains the same as the OP shows in the question:

    var page = require('webpage').create();
    // Open the site, save a screenshot, and print the load status.
    page.open('https://myproject', function(status) {
        page.render('C:/temp/connect.png');
        console.log(status);
        phantom.exit();
    });
albciff
  • It's awesome that they added this in as a simple CLI flag finally isn't it? Thanks for all the work you did a year ago about this problem and for updating your accepted answer to include the CLI flags I posted about below a few months ago ^_^ – stevenhaddox Nov 22 '16 at 17:27
  • @stevenhaddox thanks for your comment, unfortunately this is not the accepted answer :), and also I added the CLI parameters in the first revision in 2015; I only edited the answer to make the format better because I recently received an upvote. At least it's nice to have this feature. – albciff Nov 22 '16 at 17:56
  • So you did! I completely overlooked your flags with the old format so this is definitely a welcomed change! Keep up the good work :) – stevenhaddox Nov 22 '16 at 18:04
  • Additionally I use --ignore-ssl-error=true ... it is errors; `--ignore-ssl-errors=true` – m3nda Feb 16 '17 at 02:39
  • @erm3nda right, in the command below I wrote it correctly, but then in the explanation I made the typo. Thanks. – albciff Feb 16 '17 at 08:38
  • If we deliberately add and trust the SSL cert, why do we add --ignore-ssl-errors=true? If we ignore all SSL errors, we don't need to feed the SSL cert. Sounds contradictory to me. – Man Coding Apr 30 '18 at 13:32
  • You're mixing concepts, the `--ssl-client--` parameters are for client auth configuration, however the `--ignore-ssl-errors` is to avoid problems with the trust of the client with the server certificate. – albciff May 02 '18 at 12:20
5

Client certificate support has actually been implemented since the original accepted answer. I'm posting this in order to help others who will stumble upon this question as well. You can find the parameters for enabling X509/PKI certificate support in PhantomJS's CLI instructions:

    phantomjs --ssl-certificates-path=/path/to/pki/rootCA.pem \
              --ssl-client-certificate-file=/path/to/pki/cert.pem \
              --ssl-client-key-file=/path/to/pki/cert.np.key
stevenhaddox
4

I am looking for a solution too. It isn't implemented: https://github.com/ariya/phantomjs/issues/10524

"--ssl-certificates-path" - It is used for the CA certificate

  • thanks. That's answered the question, even though it's a negative answer at least I know not to spend any more time with PhantomJS – John Small Jan 10 '14 at 14:57
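
The `test.js` in the question and in the first answer only prints `fail`, which does not tell a rejected client certificate apart from a proxy or server-trust problem. This added example (not part of the original posts) logs the reason through `page.onResourceError`. The error-code table follows Qt's `QNetworkReply::NetworkError` enum, and the names `diagnose.js` and `classifyResourceError` are chosen here for illustration.

```javascript
// Added example: run with the same flags as in the answers above, e.g.
//   phantomjs --ssl-client-certificate-file=... --ssl-client-key-file=... diagnose.js <url>
// PhantomJS passes Qt QNetworkReply::NetworkError numbers in resourceError.errorCode.
var QT_NETWORK_ERRORS = {
  1: 'connection refused',
  3: 'host not found',
  4: 'timeout',
  6: 'SSL handshake failed',
  101: 'proxy connection refused',
  103: 'proxy not found',
  105: 'proxy authentication required'
};

// Turn one onResourceError payload into a finding with a suggested check.
function classifyResourceError(err) {
  var kind = QT_NETWORK_ERRORS[err.errorCode] || 'other (' + err.errorCode + ')';
  var hint = 'see errorString';
  if (err.errorCode === 6) {
    hint = 'check --ssl-client-certificate-file/--ssl-client-key-file and that ' +
           'the server CA is under --ssl-certificates-path';
  } else if (err.errorCode >= 101 && err.errorCode <= 105) {
    hint = 'check the --proxy setting; the failure is at the proxy, before TLS';
  }
  return { url: err.url, kind: kind, hint: hint, detail: err.errorString };
}

if (typeof phantom !== 'undefined') {
  // Inside PhantomJS: collect every failed resource, then report after load.
  var system = require('system');
  var page = require('webpage').create();
  var findings = [];
  page.onResourceError = function (resourceError) {
    findings.push(classifyResourceError(resourceError));
  };
  page.open(system.args[1], function (status) {
    console.log('status: ' + status);
    findings.forEach(function (f) {
      console.log(f.kind + ' for ' + f.url + ': ' + f.detail + ' -> ' + f.hint);
    });
    phantom.exit(status === 'success' ? 0 : 1);
  });
} else {
  // Outside PhantomJS: classify a constructed sample payload.
  console.log(classifyResourceError({ errorCode: 6,
    errorString: 'SSL handshake failed', url: 'https://myprotectedsite/' }));
}
```

An "SSL handshake failed" finding that persists after the server CA is supplied via `--ssl-certificates-path` points at the client certificate or key rather than at server trust.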